Method for network security using statistical object identification

ABSTRACT

Methods to enforce network policy based on identity authentication at a network endpoint device by offloading the authentication to a network attached authentication devices are disclosed. The authentication device may use Statistical Object Identification to perform the authentication. The present invention greatly reduces the resources needed by the network endpoint device to perform the authentication and eliminates the topological restrictions found in traditional network appliance based approaches.

CROSS-REFERENCE TO RELATED U.S. PATENT APPLICATIONS & CLAIMS FOR PRIORITY

The Present Patent Application is a Continuation-in-Part Application, and is related to Pending Parent Application U.S. Ser. No. 13/987,747 filed on 27 Aug. 2013; and to U.S. Pat. Grant No. 8,572,697 filed 18 Nov. 2011. In accordance with the provisions of Sections 119 &120 of Title 35 of the United States Code of Laws, the Applicant hereby claims the benefit of priority for any and all subject matter that is commonly disclosed in U.S. Ser. No. 13/987,747, U.S. Pat. No. 8,572,697, and in the Present Application.

FEDERALLY SPONSORED RESEARCH OR DEVELOPMENT

None.

FIELD OF THE INVENTION

The present invention pertains to methods for efficiently and securely authenticating the Identity of network traffic in arbitrary network topologies using statistical object identification.

BACKGROUND OF THE INVENTION

Organizations that use computers and computer networks continue to work on improving the security of both the networks and the computers themselves. Some security technologies are most effective when implemented directly on the computer. Historically, some security functions have been deployed as network devices, to allow a single device to provide security for multiple computers. Each of these approaches has pros and cons.

For security technologies deployed directly on each computer, called an “endpoint solution,” the technology uses the resources of the endpoint computer including CPU processor cycles, memory and network bandwidth. For some security technologies, this use of endpoint resources can be substantial. Additionally, some security technologies require the distribution of cryptographic keys to every participating entity. When keys are widely distributed, the protection of those keys becomes more difficult to maintain.

In large organizations, often with many independent departments, networks and computer services may be added and organically grown without centralized planning, leading to network resources being deployed somewhat arbitrarily throughout the network. These network resources may have multiple network interfaces. When attempting to enforce network security policies, the lack of planning often leads to a lack of achievable policy enforcement points that do not adversely impact network and resource performance without the wholesale re-architecture of the network and the redeployment of the network resources. This can be exceedingly costly, in both dollars and time.

For policy enforcement points and security technologies deployed on a network appliance, the appliance may become a bottleneck and impact the performance of traffic flowing through it. Network security appliances also have a network topology requirement that the traffic must pass through the appliance for it to provide any security functions. For computers communicating with one another on a single LAN or network subnet, this topology requirement is often unachievable. When a computer has multiple network interfaces, this further complicates the network topology and complicates consistent implementation of security functions.

An analogy to this in the physical world is a building with a security guard at the entrance checking everyone's driver's license, their identity, to insure that they have business in the building. If there are very few visitors to each building, then each security guard may not be busy most of the time. Instead of having a security guard at each building that is being protected, some of the buildings may have a camera and a mechanism to remotely unlock the door. A security guard, at a location remote from the building being entered, sees the person wishing to enter the building, can see their driver's license and to let the person in by sending a signal to the door unlock mechanism. This is analogous to what the present invention does within a network of computers.

A method to enable endpoint security that utilizes a security appliance that does not require that the appliance to be in the network data path, would constitute a major technological advance, and would satisfy long felt needs and aspirations in the cyber security industry.

SUMMARY OF THE INVENTION

The present invention has two components; a peer authentication driver and an authentication device. The peer authentication driver, installed on a network endpoint device provides network identity authentication by monitoring incoming IP packets for TCP SYN bit and securely sending those IP packets to an authentication device for authentication. The authentication device performs authentication and, if successfully authenticated, securely sends the IP packet and additional authentication information back to the peer authentication driver for delivery to the endpoint's TCP/IP stack. The authentication device may use Statistical Object Identification (SOI) or Transport Access Control (TAC) to perform the authentication. All subsequent IP packets belonging to the same TCP session are delivered directly to the endpoint's TCP/IP stack.

A BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is an illustration of three buildings and three security officers.

FIG. 2 is an analogy of the present invention.

FIG. 3 is an analogy of the present invention.

FIG. 4 is an illustration of an IP packet.

FIG. 5 is an illustration of a TCP header.

FIG. 6 is Flowchart 1 of the present invention, which describes the processing of an IP packet received from a remote network device.

FIG. 7 is Flowchart 2 of the present invention, which describes the processing of an IP packet by an authentication device.

FIG. 8 is Flowchart 3 of the present invention, which describes the processing of an IP packet from an authentication device.

FIG. 9 is Flowchart 4 of the present invention, which describes the processing of an IP packet received from the network endpoint device's TCP/IP protocol stack.

FIG. 10 is Flowchart 5 of the present invention, which describes the processing of a rule received from the authentication device.

FIG. 11 is an architectural depiction of the present invention in a network endpoint device.

FIG. 12 is an architectural depiction of the present invention in a network endpoint device, showing the flow of an IP packet with a TCP header containing TCP SYN bit coming from a remote network device and being sent to an authentication device.

FIG. 13 is an architectural depiction of the present invention in a network endpoint device, showing an alternate flow of an IP packet with a TCP header containing TCP SYN bit coming from a remote network device and being sent to an authentication device.

FIG. 14 is an architectural depiction of the present invention in a network endpoint device, showing the flow of an IP packet with a TCP header matching a session descriptor coming from a remote network device and being delivered to the TCP/IP protocol stack.

FIG. 15 is an architectural depiction of the present invention in a network endpoint device, showing the flow of a rule coming from an authentication device and being delivered to the peer authentication driver.

FIG. 16 is an architectural depiction of the present invention in a network endpoint device, showing an alternate flow of a rule coming from an authentication device and being delivered to the peer authentication driver.

FIG. 17 is an architectural depiction of the present invention in a network endpoint device, showing the flow of an IP packet coming from the TCP/IP protocol stack and being sent to a remote network device.

FIG. 18 is a topological depiction of the present invention in an operating context.

FIG. 19 is a topological depiction of the present invention in an operating context, showing the flow of an IP packet with a TCP header containing TCP SYN bit coming from a remote network device.

FIG. 20 is a topological depiction of the present invention in an operating context, showing the flow of an IP packet with a TCP header containing TCP SYN bit being sent from a network endpoint device to an authentication device.

FIG. 21 is a topological depiction of the present invention in an operating context, showing the flow of an IP packet with a TCP header containing TCP SYN bit being sent from an authentication device back to a network endpoint device.

FIG. 22 is a topological depiction of the present invention in an operating context, showing the flow of IP packets with their TCP headers matching a session descriptor between a remote network device and the network endpoint device.

FIG. 23 is a topological depiction of the present invention in an operating context, showing the authentication device sending log information to a logging device.

A DETAILED DESCRIPTION OF PREFERRED & ALTERNATIVE EMBODIMENTS I. Introduction to the Invention

An analogy of the present invention is a set of buildings 2 protected by a security office 4, which is shown in FIG. 1. The security officer's 4 job is to inspect the driver's license, the identity, of each person that enters the building 2 and determine if they have business in the building 2 before letting them proceed. If the building 2 does not get many visitors, then the security officer 4 will not be very busy. To get better use from the security officer 2, security camera's 5 are placed at the entrance of some of the buildings 2, as shown in FIG. 2. A security officer 4 is no longer needed at the buildings 2 with the security camera. The security officer 4 can see a person arriving at the building 4 and the identity in the form of a driver's license as an image 7 on a security monitor 6. Once the person has proven who they are and the security officer 4 has determined that they have business in the building 2, the security officer 4 sends a door unlock signal 8 to open the door and let the person in, as shown in FIG. 3. Although different in the identities used, the authentication mechanisms employed and the resources protected, this is analogous to the present invention.

II. Overview of the Invention

The present invention provides a mechanism to enforce network policy based on identity authentication at a network endpoint device 10 by offloading the authentication process to a remote authentication device 18. An IP packet is shown in FIG. 4. By only sending those IP packets 12 that may contain identity 22 information to the authentication device 18, the network traffic flow between the remote network device 11 and the network endpoint device 10 is maintained once the TCP session initiation has been authenticated. This is particularly important when both the network endpoint device 10 and the remote network device 11 are located on the same LAN segment or network subnet, as traffic between two devices on the same LAN or subnet often directly communicate with each other, their traffic being processed by a local network switch. In this environment, known as a peering environment, it is often not possible to have a network appliance performing security functions such as authentication in the traffic path. The present invention allows the use of an authentication device 18 without requiring that it is inserted directly into the network traffic path between two peering devices, hence the name of Peer Authentication.

When a network endpoint 10 receives an IP packet 12 with a TCP header 14 with the TCP SYN bit set 16, this indicates that a remote network device 11 is requesting the establishment of a TCP session. A TCP header 14 is shown in FIG. 5. The sender, in this case the remote network device 11, can be authenticated using a process called Transport Access Control (TAC). When a large number of identities 22 are in use, the TAC process may consume a large number of compute and memory resources. To prevent the TAC process from consuming a large number of compute and memory resources on every network endpoint device 10, the TAC process can be offloaded to an authentication device 18. This authentication device 18 can process authorization requests from many network endpoint devices 10.

Other authentication mechanisms may employ statistical object identification (SOI) to perform the authentication. Similarly to TAC, when large numbers of identities 22 are in use, the SOI process may consume a large number of compute and memory resources. The SOI processes can be offloaded to an authentication device 18 which performs authentication on behalf of many network endpoint devices 10.

When a network endpoint 10 receives an IP packet 12 requesting the establishment if a TCP session, the request is sent to an authentication device 18. After authenticating the IP packet 12, the authentication device 18 returns the IP packet with any additional information needed for processing and the IP packet 12 is delivered to the TCP/IP protocol stack 32, establishing the TCP session. Subsequent IP packets 12 that are part of the same TCP session are delivered directly to the TCP/IP protocol stack 32.

In a preferred embodiment, which is illustrated in FIG. 6, the peer authentication driver 46, which resides between the TCP/IP protocol stack 32 and the network device driver 48, may be assisted by a peer authentication management application 44. The peer authentication management application 44 is an application that establishes secured communications between the network endpoint device 10, the authentication device 18, and the peer authentication driver 46. The peer authentication management application 44 conveys the network endpoint's Identity to the authentication device. A preferred mechanism for conveying this Identity is to establish a secure tunnel to the authentication device 18 and using the network endpoint's 10 X.509 certificate to establish the secure tunnel. The peer authentication management application 44 is responsible for communicating IP packets 12, policy rules 26 and other information between these entities.

III. Statistical Object Identification

Statistical Object Identity (SOI) is described in U.S. Pat. No. 8,572,697, entitled Method for Statistical Object Identification, and in U.S. Ser. No. 13/987,747, entitled Method for Statistical Object Identification. The Applicants hereby incorporate both of these documents by reference.

One limitation of current information networks is that it is difficult to verify or approve a communication before the communication has been allowed to penetrate a network. One reason for this difficulty is that the means of verification, which is called a “certificate,” is too large to send to the network in the initial set of digital information which initiates the communication, and which ultimately leads to an authentication.

Statistical Object Identity (SOI) solves this problem by reducing the information in the certificate which is used to authenticate the communication before it is allowed to proceed by converting the certificate to a much smaller “statistical object.” SOI allows the network to determine the identity of the initiator of the communication before the communication is given access to the network. This method provides a security feature that substantially eliminates potentially detrimental and malicious attacks that could be perpetrated on the network using conventional technology.

SOI operates by using an identity certificate as an original object and using a sender to communicate a stream of statistical objects, based on the original object, to a communications receiver. The communications receiver aggregates the received statistical objects until an original object is unambiguously determined and the calculated probability satisfies a trusted probability threshold. If the communications receiver fails to unambiguously determine the original object or if the calculated probability fails to satisfy the probability threshold, the original object, the identity, is not recognized. An indication is made to communicate the identity determined by SOI or an indication is made to communicate of the lack of identity.

IV. Transport Access Control

Transport Access Control (TAC) is described in U.S. Pat. No. 8,346,951, entitled Method for First Packet Authentication. The Applicants hereby incorporate this document by reference.

TAC provides a mechanism to authenticate a network connected device on the first packet of a TCP session request. TAC enables a network connected device to authorize a received TCP connection request without relying solely on a initiator's IP address. If the authorization is successful, then the connection establishment process is continued. If the authorization fails, the request is “black-holed,” even though there is an application associated with the TCP port in the connection request. This protects against TCP port scanning and network reconnaissance.

The authentication mechanism uses various fields in the IP and TCP headers in the TCP connection request. All of these fields have a primary function that is defined in the IP and TCP specifications. The use of existing fields to pass an authorization key is necessary because the TCP protocol specification does not provide a mechanism to pass user data on a TCP connection request.

The goal of TAC is to enable an authentication mechanism that functions using only the fields in the IP and TCP headers that are normally present in the TCP connection establishment request. Within the IP and TCP headers there are fields that have strictly defined meanings that do not allow any additional encoding because this would alter the functionality of the IP and/or TCP protocols. Examples of such fields are the Source Address, Destination Address, Checksum, Source Port and Destination Port fields.

Within the TCP header, on a connection request (TCP-SYN), the Sequence Number (SEQ) field specifies the starting sequence number for which subsequent data octets are numbered. Additional TCP specifications recommend that this number be randomly generated.

A remote network device 11 (TCP session initiator) generates an authorization key, now called an identity token. The initiator then sends a TCP connection request, inserting the authorization key in the SEQ field of the TCP header 14, to the desired network connected device. The receiving device, upon receiving the connection request, extracts the authorization key. The receiving device then processes the authorization key to authenticate it.

TAC provides methods for concealing the existence of a device connected to a computer network or concealing the existence of certain applications running on a device connected to a computer network. This concealment works by authorizing a TCP connection request using an authorization key embedded within the TCP connection request.

V. Definition of Terms

Arbitrary Network Topology—Without regard to the layout of devices on a network.

Authentication—The process of verifying the authenticity of a presented identity credential.

Authentication Device—A device that performs authentication.

Authentication Processing Information—Information provided by an authentication device to a second entity which enables the second entity to complete the authentication process. In the case of TAC, the authentication device provides a second Identity token which is used for bidirectional authentication on the TCP SYN/ACK transaction.

Authenticated Session Table—A table containing session descriptors of TCP sessions that have been authenticated.

Authenticated Session Processing—Authenticated session processing uses authentication processing information to properly respond to authenticated sessions. In the case of TAC, the authentication session processing inserts a bidirectional identity token into TCP SYN/ACK transaction.

Bidirectional Authentication—Authentication that occurs between two parties where each party is authenticated. This is in contrast to unidirectional authentication where only one party is authenticated.

Connection—A logical pairing of two devices that enable them to communicate. A connection utilizes a series of packets to accomplish this. A TCP connection is an example of a connection.

Connection Request—A request by one device to another device to create a connection.

Context Information—Information that allows the peer authentication driver to process the response from the authentication device without requiring the peer authentication driver to save any state regarding the IP packet. Context information will be returned by the authentication device with the IP packet once the IP packet has been authenticated.

Device—A device is any object that is capable of being attached or connected to and communicating on a network. Examples of devices include computers, servers, clients, laptops, PDAs, cell phones, smart phones, network appliances, storage systems, virtual appliances, switches, routers, load balancers, caches, intrusion detection systems, VPNs, authentication devices, intrusion prevention systems, and firewalls.

Endpoint—Any network device that has an IP address and the ability to perform TCP/IP protocol processing.

Endpoint Security—Security processing performed on an endpoint. This may include identity credential authentication, access authorization, policy enforcement, behavioral analysis, logging and other security related actions and behaviors.

Hypervisor—In virtualization technology, hypervisor is a software program that manages multiple operating systems (or multiple instances of the same operating system) on a single computer system.

Identity—The fact of being who or what a person or thing is.

Identity Credential—An object that is verified when presented to the verifier in an authentication transaction. Identity Credentials may be bound in some way to the individual or device to whom they were issued.

IP—IP is the Internet Protocol. The Internet Protocol is a data oriented protocol used by devices to communicate across a packet switched network. IP information is carried by an IP header in an IP packet. The IP header contains device address information, protocol control information and user data information.

Logging Device—A device that receives and processes logs from other devices, often for purposes of aggregation, storage, display, data mining or analytics.

Network—A network is a collection of computers, servers, clients, routers and devices that are connected together such that they can communicate with each other. The Internet is an example of a network.

Network Appliance—A fixed function device attached to a network for the purpose of performing set of functions such as computational, storage, networking or security.

Network Device Driver—A software module that communicates with a network interface. A network device driver is responsible for customizing the interactions to and from a specific network interface,

Network Interface—The physical or logical boundary between a network and a device. A network interface is responsible for formatting the network frames or packets as appropriate for the network medium. Many devices have multiple network interfaces.

Network Policy—The rules governing network and network connected device access. A network policy describes what network devices can access other networks and network devices. Network policy is often applied at policy enforcement points or at an endpoint.

Network Topology—The physical or logical layout of devices on a network. Every network has a topology, or the way that the devices on a network are arranged and how they communicate.

Peer authentication driver—A software module that enables the authentication of network traffic using an authentication appliance.

Peering Environment—A network environment where two endpoints communicate with each other without traversing a common policy enforcement point.

Peer Authentication Management Application—A software module that assists the peer authentication driver. The peer authentication management application is usually instantiated as an application and communicates with an authentication device on behalf of the peer authentication driver. The peer authentication management application provides management and communications services for the peer authentication driver.

Physical Appliance—A network appliance where the appliance functionality is rendered in physical hardware and software. Compare against a virtual appliance where the appliance functionality is rendered solely in software.

Policy Enforcement Point (PEP)—In networking, a chokepoint where network policy is enforced.

Remote Network Device—A device, of a pair of devices that forms a connection. Connections involve pairs of devices, the remote network device is half of the connection pair, indicating the remote device.

Session Descriptor—A data structure that describes the TCP session (source IP address, source TCP port, destination IP address, destination TCP port), context information and authentication processing information.

SOI—Statistical Object Identification. A method of communicating a statistical representation of an original object.

SSL—Secure Sockets Layer. A security protocol defined by the Internet Engineering Task Force (IETF).

TAC—Transport Access Control. A method of determining identity on the first packet of a TCP session.

TAC Bidirectional Identity Token—A TAC Identity token that is communicated during TCP SYN/ACK processing.

TCP—TCP is the Transmission Control Protocol. Using TCP, networked devices can create connections to one another, over which they can send data. The TCP protocol insures that data sent by one endpoint will be received in the same order by the other, and without any pieces missing. The TCP protocol also distinguishes data for different applications (such as a Web server and an email server) on the same device.

TCP SYN/ACK Processing—The response by a TCP/IP protocol stack upon receiving a TCP SYN to establish a TCP session. This is performed in accordance with the TCP specification.

TCP SYN Bit—A control bit within the TCP header that indicates a request for TCP session establishment.

TCP Session Initiation—The process of establishing a TCP session. This is performed in accordance with the TCP protocol specification.

TLS—Transport Layer Security. A security protocol defined by the Internet Engineering Task Force (IETF).

Virtual Appliance—A network appliance where the appliance functionality is rendered solely in software. Compare against a virtual appliance where the appliance functionality is rendered in physical hardware and software.

VI. Preferred and Alternative Embodiments

FIGS. 1, 2 and 3 depict prior art which is used as an analogy to help explain the present invention.

FIG. 1 is an illustration of three buildings 2, each protected by a security officer 4.

FIG. 2 is an analogy of the present invention, showing two buildings 2 with security cameras 5, and a building 2 with a security officer 4 and a security monitor 6. An image 7 from the security camera 5 is shown on the security monitor 6.

FIG. 3 is an analogy of the present invention, showing two buildings 2 with security cameras 5, and a building 2 with a security officer 4 and a security monitor 6. The security officer 4 is sending a door unlock signal 8 to one of the buildings 2. FIG. 1 is an illustration of an IP packet 12, including a TCP header 14.

FIG. 4 is an illustration of an IP packet 12, including a TCP header 14.

FIG. 5 is an illustration of a TCP header 14 and shows the location of the TCP SYN bit 16.

FIG. 6 is a flowchart of the present invention which describes processing of an IP packet 12 by a peer authentication driver 46.

FIG. 7 is a flowchart of the present invention which describes processing of an IP packet 12 by an authentication device 18.

FIG. 8 is a flowchart of the present invention which describes processing of an authenticated IP packet 12 containing TCP SYN bit 16 by a peer authentication driver 46.

FIG. 9 is a flowchart of the present invention which describes processing of an IP packet 12 received from a TCP/IP protocol stack 32 by a peer authentication driver 46.

FIG. 10 is a flowchart of the present invention which describes processing of a policy rule 26 received from an authentication device 18 by a peer authentication driver 46.

FIG. 11 is an architectural depiction of the present invention in a network endpoint device 10. A network interface 49 conveys packets between a network (not shown) and the network device driver 48. The network device driver 48 processes packets and conveys packets and information between the network interface 49 and the peer authentication driver 46. The peer authentication driver 46 performs authentication or causes authentication to be performed. The peer authentication driver 46 conveys packets and information between the network device driver 48, the TCP/IP protocol stack 32 and the Peer Authentication Management Application 44. The TCP/IP protocol stack 32 performs TCP/IP processing and conveys packets and information between the peer authentication driver 46, the Peer Authentication Management Application 44 and other applications. The Peer Authentication Management Application 44 provides management and communications services for the peer authentication driver 46. The Peer Authentication Management Application 44 conveys packets and information between the peer authentication driver 46 and the TCP/IP protocol stack 32.

FIG. 12 is an architectural depiction of the present invention in a network endpoint device 10, showing the flow of an IP packet 12 with a TCP header 14 containing TCP SYN bit 16 being received by a network interface 49, being conveyed to a network device driver 48 and being subsequently conveyed to a peer authentication driver 46. The peer authentication driver 46 sends the IP packet 12 to an authentication device 18 (not shown) by conveying the IP packet 12 to the network device driver 48 which subsequently conveys the IP packet 12 to the network interface 49.

FIG. 13 is an architectural depiction of the present invention in a network endpoint device 10, showing an alternate flow of an IP packet 12 with a TCP header 14 containing TCP SYN bit 16 being received by a network interface 49, being conveyed to a network device driver 48 and being subsequently conveyed to a peer authentication driver 46. The peer authentication driver 46 sends the IP packet 12 to an authentication device 18 (not shown) by conveying the IP packet 12 to a Peer Authentication Management Application 44 which subsequently conveys the IP packet 12 via an established TCP session to the TCP/IP protocol stack 32. The TCP/IP protocol stack conveys the IP packet 12 to the peer authentication driver 46 which subsequently conveys the IP packet 12 to the network device driver 48 which subsequently conveys the IP packet 12 to the network interface 49.

FIG. 14 is an architectural depiction of the present invention in a network endpoint device 10, showing the flow of an IP packet 12 with a TCP header 14 being received by a network interface 49, being conveyed to a network device driver 48 and being subsequently conveyed to a peer authentication driver 46. The peer authentication driver 46 upon locating a matching session descriptor 28 conveys the IP packet 12 to the TCP/IP protocol stack 32 for processing.

FIG. 15 is an architectural depiction of the present invention in a network endpoint device 10, showing the flow of a policy rule 26 being received by a network interface 49, being conveyed to a network device driver 48 and being subsequently conveyed to a peer authentication driver 46 for processing.

FIG. 16 is an architectural depiction of the present invention in a network endpoint device 10, showing an alternate flow of a policy rule 26 being transported within a previously established TCP session. An IP packet 12 containing and TCP header 14 and the policy rule 26 is received by a network interface 49, being conveyed to a network device driver 48 and being subsequently conveyed to a peer authentication driver 46. The peer authentication driver 46 upon locating a matching session descriptor 28 conveys the IP packet 12 to the TCP/IP protocol stack 32 for processing. The TCP/IP protocol stack 32 performs the protocol processing and conveys the policy rule 26 to the Peer Authentication Management Application 44. The Peer Authentication Management Application 44 conveys the policy rule 26 to the peer authentication driver 46.

FIG. 17 is an architectural depiction of the present invention in a network endpoint device 10, showing the flow of an IP packet 12 being generated from the TCP/IP protocol stack 32 and being conveyed to the peer authentication driver 46. The peer authentication driver 46 performs authentication processing and conveys the IP packet 12 to the network device driver 48 which subsequently conveys the IP packet 12 to the network interface 49 to send to its destination.

FIG. 18 is a topological depiction of the present invention in an operating context. Two remote network devices 11 are connected to a network 20. Also connected to the network 20 are two network endpoint devices 10, a logging device 42 and an authentication device 18.

FIG. 19 is a topological depiction of the present invention in an operating context, showing a remote network device 11 conveying an IP packet 12 with a TCP header 14 containing TCP SYN bit 16 via a network 20 to a network endpoint device 10.

FIG. 20 is a topological depiction of the present invention in an operating context, showing a network endpoint device 10 conveying an IP packet 12 with a TCP header 14 containing TCP SYN bit 16 via a network 20 to an authentication device 18 performing authentication.

FIG. 21 is a topological depiction of the present invention in an operating context, showing an authentication device 18 conveying an IP packet with a TCP header 14 containing TCP SYN bit 16 after being authenticated to a network endpoint device 10 via a network 20.

FIG. 22 is a topological depiction of the present invention in an operating context, showing the flow of IP packets 12 with TCP headers 14 not containing TCP SYN bit 16 and matching a session descriptor 28 between a remote network device 11 and the network endpoint device 10 via a network 20.

FIG. 23 is a topological depiction of the present invention in an operating context, showing the authentication device 18 sending log information 50 to a logging device 42 via a network 20.

VII. Methods of Operation for Peer Authentication

There are two components in endpoint peering; the peer authentication driver 46 and the authentication device 18. The peer authentication driver 46 is installed in a network endpoint device 10, logically inserted between the network device driver 48 and the TCP/IP protocol stack 32. When an IP packet 12 containing a TCP header 14 is received by a network interface 49 it is conveyed to a network device driver 48 which subsequently conveys it to the peer authentication driver 46. At 100, the IP packet 12 is received by the peer authentication driver 46. At 102 the IP packet 12 is compared against a second table of policy rules 36.

The second table of policy rules 36 allows the authentication device 18 to define policy rules that are implemented by the peering device driver 46. An example of a policy rule 26 in the second table of policy rules 36 is a source IP address that are being blocked and thus IP packets 12 matching the source IP address will be discarded. A second example of a policy rule 26 in the second table of policy rules 36 is a destination IP address for which Identity is not being authenticated and thus IP packets 12 matching the destination IP address will be forwarded without requiring authentication by the authentication device 18. A network interface 49 can also be specified in a policy rule 26. This allows different policies to be enforced depending upon which network interface 49 an IP packet 12 is received on. An example second table of policy rules 36 is shown below:

Source IP Source Dest IP Dest Network Address Port Address Port Interface Protocol VLAN Rule 17.23.21.2 any any any any any any drop any any 21.44.2.11 any eth0 TCP any allow any any 21.44.2.45 any eth2 TCP 100 redirect to 21.4.2.47 121.32.4.2 any any any any any any drop

After any policy rules have been enforced at 110, the TCP header 14 of the IP packet 12 is checked for TCP SYN bit 16 at 104. If TCP SYN bit 16 is set, then the IP packet 12 is sent to the authentication device 18 at 112 for authentication.

The IP packet 12 being sent to the authentication device 18 may be sent directly by the peer authentication driver 46, or in an alternate embodiment, the IP packet 12 may be sent to a peer authentication management application 44. The peer authentication management application 44 maintains pre-established TCP/IP sessions with one or more authentication devices 18. The TCP/IP sessions maintained by the peer authentication management application 44 should be protected by using the SSL, TLS or other cryptographic security protection to protect information conveyed between the peer authentication management application 44 and the authentication device 18.

At 112, in addition to sending the IP packet 12 to the authentication device 18, context information may be included with the IP packet 12. Context information is information that allows the peer authentication driver 46 to process the response from the authentication device 18 without requiring the peer authentication driver 46 to save any state regarding the IP packet 12. This context information will be returned by the authentication device 18 with the IP packet 12 once the IP packet 12 has been authenticated.

At 112, in addition to sending the IP packet 12 to the authentication device 18, information about the network interface 49 may be included with the IP packet 12.

At 104, if TCP SYN bit 16 is not set in the TCP header 14 of the IP packet 12, the IP packet 12 then compared against an authenticated session table 30 at 106. The authenticated session table 30 contains session descriptors 28. Each session descriptor 28 contains session information for each active TCP session. Each session descriptor 28 also contains the identity 22 that was authenticated to establish the TCP session. The session descriptor 28 also contains authentication processing information that enables the peer authentication driver 46 to properly respond to authenticated sessions. In one embodiment, the authentication processing information includes the TAC bidirectional identity token used to communicate bidirectional authentication. The TAC bidirectional identity token is provided to the peer authentication driver 46 by the authentication device 18. If a session descriptor 28 matching the TCP session in the IP packet 12 is found, at 114, the IP packet is sent to the TCP/IP protocol stack 32.

If a session descriptor 28 matching the TCP session in the IP packet 12 is not found, at 108, the IP packet is discarded.

When an authentication device 18 receives an IP packet 12 from a peer authentication driver 46, at 116, it determines, at 118, the identity 22 of the sender of the IP packet 12. A preferred embodiment of determining the identity of the sender on the first packet of a TCP session is by using Transport Access Control (TAC). A second preferred embodiment of determining the identity of the sender on the first packet of a TCP session is by using statistical object identification (SOT). Once the identity 22 has been determined, a policy rule 26 in a first table of policy rules 27 is located that matches the identity 22.

The first table of policy rules 27 allows the authentication device 18 to define and maintain policy rules 26 based on identity 22. An example of a policy rule 26 in the first table of policy rules 27 is an identity 22 that is allowed to access a specified destination IP address. A second example of a policy rule 26 in the first table of policy rules 27 is a, identity 22 matching a specified destination IP address that will be redirected to an alternate IP address. A third example of a policy rule 26 in the first table of policy rules 27 is a wildcard rule that matches any identity 22 and instructs that an IP packet 12 will be discarded. An example first table of policy rules 27 is shown below:

Dest IP Identity Address Dest Port Protocol Group Rule John 121.34.22.15 any any eng allow Mark 121.34.21.100 any any corp redirect to 121.34.21.200 any 121.34.22.120 any any any drop none any any any none drop

Once the identity 22 and the matched policy rule 26 has been determined, the policy rule 26, at 120 is enforced. For example, if the policy rule 26 is “Allow”, then the IP packet 12, at 128, is sent back to the peer authentication driver 46.

In addition to sending back the IP packet 12 to the peer authentication driver 46, if context information was received with the IP packet 12, then context information should be returned with the IP packet 12. Additionally, if the peer authentication driver 46 requires additional information to complete the authentication processing, then authentication processing information should also be sent to the peer authentication driver 46.

At 120, if the policy is “Discard”, then the IP packet 12 is discarded, at 122. The identity 22, the lack of identity and the associated policy may also be recorded in log information 50 that is sent to a logging device 42.

A logging device 42 can be any device used for the purpose of collecting, aggregating, processing, analyzing and storing log records. Commonly a logging device 42 is a network connected device with a large storage capacity and the ability to perform advanced analytics, such as a HADOOP cluster. Less sophisticated logging devices 42 can simply aggregate and store logs set to them across the network. Splunk is a common software package that runs on a logging devices 42.

At 118, as part of determining identity 22, the receipt of the IP packet 12 in conjunction with the identity determination process may produce policy rules 26 that must be communicated to the peer authentication driver 46. For example, if during SOI processing, an attack threshold is reached, the authentication device 18 may want to block all IP packets 12 originating from a certain source EP address for a period of time. Sending a policy rule 26 to the peer authentication driver 46, at 130, allows this to happen without requiring that the authentication device 18 discard all of the corresponding IP packets 12 directly. The policy rule 26 should include an expiration so that it will expire automatically and not require additional coordination or management from the authentication device 18. If no new rules are generated, then no additional processing occurs at 126.

When the peer authentication driver 46 receives an authenticated IP packet 12 from the authentication device 18 at 132, it creates a session descriptor 28 at 134. A session descriptor 28 contains session information from the TCP header 14 in the IP packet 12. A session descriptor 28 also contains the identity 22 that was authenticated. The session descriptor 28 also contains authentication processing information that enables the peer authentication driver 46 to properly respond to authenticated sessions. The session descriptor 28 may also contain context information and information about the network interface 49 on which the IP packet 12 was originally received.

At 136, the peer authentication driver adds the session descriptor 28 to an authenticated session table 30 and then sends the IP packet 12 to the TCP/IP protocol stack 32 at 138. An example authenticated session table 30 containing session descriptors 28 is shown below:

Auth Network Context Processing Source Destination Protocol Interface Identity Info Info 17.20.3.22: 46.18.2.201: TCP eth0 Mike 0x1243 bi-token = 34566 443 0xd54a2113 11.17.2.34: 46.18.2.201: TCP eth1 John 0xcd1a bi-token = 16775 443 0x5bc32a14 17.20.3.22: 46.18.2.220: TCP eth0 Mike 0xdc32 bi-token = 34576  80 0x12cba435 11.17.2.66: 46.18.2.100: TCP eth0 Dave 0xbba3 bi-token = 23241 443 0xcb34ad56

When the TCP/IP protocol stack 32 sends an IP packet 12, it is received by the peer authentication driver 46 at 140. At 142, the IP packet 12 is compared against an authenticated session table 30.

If a session descriptor 28 matching the TCP session in the IP packet 12 is found, at 144, authenticated session processing is performed at 148. Authenticated session processing uses authentication processing information in the session descriptor 28 to properly respond to authenticated sessions. In one embodiment, the authentication processing information includes the TAC bidirectional identity token used to communicate bidirectional authentication. The TAC bidirectional identity token is provided to the peer authentication driver 46 by the authentication device 18. After authenticated session processing has been performed, the IP packet 12 is sent to the network device driver 48 at 146.

If a session descriptor 28 matching the TCP session in the IP packet 12 is not found, at 144, the IP packet 12 is sent to the network device driver 48 at 146.

When an authentication device 18 sends a policy rule 26 to the peer authentication driver 46, it is received by the peer authentication driver 46 at 150. The peer authentication driver 46 then inserts the policy rule 26 into the second table of policy rules 36 at 152.

VIII. Apparatus for Peer Authentication

The apparatus that performs peer authentication is varied and diverse. The peer authentication driver 46 is usually implemented as a software module that is loaded or linked into an operating system. The peer authentication driver 46 may be created using software or firmware and may also be offloaded to a separate processing module where the functionality is provided by software, firmware, hardware or a combination of these. The peer authentication driver 46 may also reside within a hypervisor, providing authentication services to multiple operating system instances. The hypervisor functionality may also be implemented as software or firmware and may also be implemented as a separate processing module where the functionality of the hyper visor and the peer authentication driver 46 is provided by software, firmware, hardware or a combination of these.

The authentication device 18 is a network connected device that may be created as a physically separate physical appliance. The authentication device 18 may also be created as a virtual appliance that operates within a hypervisor environment. Both the physical appliance and the virtual appliance may be constructed using software, firmware or hardware or a combination of these. In the case of a virtual appliance and hardware offload, some functions provided by the authentication appliance 18 may be offloaded to hardware offload devices available within the virtual environment.

The apparatus that performs peer authentication may be used in communications devices, security devices, network routing devices, application routing devices, service delivery devices and other devices that are enabled by the addition of the efficient authentication of identity 22 and the application of network policy based on that identity 22.

CONCLUSION

Although the present invention has been described in detail with reference to one or more preferred embodiments, persons possessing ordinary skill in the art to which this invention pertains will appreciate that various modifications and enhancements may be made without departing from the spirit and scope of the claims that follow. The various alternatives for providing an efficient means for peer authentication that have been disclosed above are intended to educate the reader about preferred embodiments of the invention, and are not intended to constrain the limits of the invention or the scope of Claims. The List of Reference Characters which follows is intended to provide the reader with a convenient means of identifying elements of the invention in the Specification and Drawings. This list is not intended to delineate or narrow the scope of the Claims.

LIST OF REFERENCE CHARACTERS

-   2 Building -   4 Security Officer -   5 Security Camera -   6 Security Monitor -   7 Image -   8 Door Unlock Signal -   10 Network endpoint device -   11 Remote network device -   12 IP packet -   14 TCP header -   16 TCP SYN bit -   18 Authentication device -   20 Network -   22 Identity -   26 Policy rule -   27 First table of policy rules -   28 Session descriptor -   30 Authenticated session table -   32 TCP/IP protocol stack -   36 Second table of policy rules -   42 Logging device -   44 Peer authentication management application -   46 Peer authentication driver -   48 Network device driver -   49 Network interface -   50 Log information -   100 Flowchart 1, Step 1 -   102 Flowchart 1, Step 2 -   104 Flowchart 1, Step 3 -   106 Flowchart 1, Step 4 -   108 Flowchart 1, Step 5 -   110 Flowchart 1, Step 2 a -   112 Flowchart 1, Step 3 a -   114 Flowchart 1, Step 4 a -   116 Flowchart 2, Step 1 -   118 Flowchart 2, Step 2 -   120 Flowchart 2, Step 3 -   122 Flowchart 2, Step 4 -   124 Flowchart 2, Step 5 -   126 Flowchart 2, Step 6 -   128 Flowchart 2, Step 3 a -   130 Flowchart 2, Step 5 a -   132 Flowchart 3, Step 1 -   134 Flowchart 3, Step 2 -   136 Flowchart 3, Step 3 -   138 Flowchart 3, Step 4 -   140 Flowchart 4, Step 1 -   142 Flowchart 4, Step 2 -   144 Flowchart 4, Step 3 -   146 Flowchart 4, Step 4 -   148 Flowchart 4, Step 3 a -   150 Flowchart 5, Step 1 -   152 Flowchart 5, Step 2 

What is claimed is:
 1. A method comprising the steps of: providing a network endpoint device (10), a remote network device (11), an authentication device (18) and a network (20); providing at least one network interface (49) at said network endpoint device (10); receiving an IP packet (12) from said remote network device (11) by said network endpoint device (10) using said network interface (49); said IP packet (12) including a TCP header (14); said TCP header (14) including a TCP SYN bit (16); conveying said IP packet (12) to said authentication device (18) via said network (20); determining the identity (22) of said IP packet (12) at said authentication device (18); selecting a policy rule (26); matching said identity (22) from a first table of policy rules (27); applying said policy rule (26) to said IP packet (12).
 2. A method as recited in claim 1, in which conveying context information to said authentication device (18) along with said IP packet (12).
 3. A method as recited in claim 1, in which conveying said network interface (49) information to said authentication device (18) along with said IP packet (12).
 4. A method as recited in claim 1, in which said authentication device (18) can be used by a plurality of said network endpoint devices (10) concurrently.
 5. A method as recited in claim 1, in which said network endpoint device (10) does not save context information regarding said IP packet (12);
 6. A method as recited in claim 1, further comprising the steps of providing an authenticated session table (30) and a TCP/IP protocol stack (32) at said network endpoint device (10); conveying said IP packet (12) from said authentication device (18) to said network endpoint device (10) via said network (20); creating a session descriptor (28) in said authenticated session table (30); and conveying said IP packet (12) to said TCP/IP protocol stack (32).
 7. A method as recited in claim 6, further comprising the steps of: conveying context information and said network interface (49) information to said network endpoint device (10) by said authentication device (18) with said IP packet (12); and storing said context information and said network interface information (49) in said session descriptor (28).
 8. A method as recited in claim 6, further comprising the steps of: conveying authentication processing information to said network endpoint device (10) with said IP packet (12); and storing said authentication processing information in said session descriptor (28).
 9. A method as recited in claim 1, further comprising the steps of conveying a policy rule (26) to said network endpoint device (10) from said authentication device (18) via said network (20); and adding said policy rule (26) to a second table of policy rules (36) by said network endpoint device (10).
 10. A method as recited in claim 9, in which expiring said policy rule (26) after a period of time.
 11. A method as recited in claim 9, in which said step of adding said policy rule (26) to said second table of policy rules (36) is performed by a peer authentication management application (44).
 12. A method as recited in claim 1, in which said authentication device (18) uses transport access control to perform authentication.
 13. A method as recited in claim 1, in which said authentication device (18) uses statistical object identification to perform authentication.
 14. A method as recited in claim 1, in which said authentication device (18) does not share with said network endpoint device (10) cryptographic keys necessary to perform said authentication.
 15. A method as recited in claim 1, in which said step of receiving of said IP packet (12) by said network endpoint device (10) further includes the steps of: selecting a matching policy rule (26) that matches some portion of said IP packet (12) from a second table of policy rules (36); and applying said policy rule (26) to said IP packet (12).
 16. A method as recited in claim 1, in which said step of receiving of said IP packet (12) by said network endpoint device (10) further includes the steps of: selecting a policy rule (26) that matches said network interface (49) information from a second table of policy rules (36); and applying said policy rule (26) to said IP packet (12).
 17. A method as recited in claim 1, further including the steps of: providing a logging device (42); conveying log information (50) to said logging device (42) by said authentication device (18); and including TCP/IP session information from said IP packet (12) and said network interface (49) said IP packet was received on in said log information (50).
 18. A method as recited in claim 1, further including the steps of: providing a logging device (42); conveying log information (50) to said logging device (42) by said authentication device (18); and including said identity (22) from said IP packet (12) in said log information (50).
 19. A method as recited in claim 1, further comprising the steps of: providing a logging device (42); conveying log information (50) to said logging device (42) by said authentication device (18); and including said policy rule (26) identity applied to said IP packet (12) in said log information (50).
 20. A method as recited in claim 1, in which said step of conveying of said IP packet (12) to said authentication device (18) is performed by a peer authentication management application (44).
 21. A method as recited in claim 15, in which said network endpoint device (10), upon receiving said IP Packet (12) from said remote network device (11), compares said IP packet (12) against entries in a second table of policy rules (36); failing to select a matching policy rule (26); and continuing with said determination the identity (22).
 22. A method comprising the steps of: providing a TCP/IP protocol stack (32) and an authenticated session table (30) at a network endpoint device (10); receiving an IP packet (12) by said network endpoint device (10); said IP packet (12) including a TCP header (14); said TCP header (14) not including a TCP SYN bit (16); matching said IP packet (12) to a session descriptor (28) in said authenticated session table (30); and conveying said IP packet (12) to said TCP/IP protocol stack (32).
 23. A method as recited in claim 22, in which information in said session descriptor (28) in said authenticated session table (30) was created by an authentication device (18); and said authentication device (18) using transport access control to perform authentication.
 24. A method as recited in claim 22, in which information in said session descriptor (28) in said authenticated session table (30) was created by an authentication device (18); and said authentication device (18) using statistical object identification to perform authentication.
 25. A method as recited in claim 22, in which said step of receiving of said IP packet (12) by said network endpoint device (10) further includes the steps of: selecting a matching policy rule (26) that matches some portion of said IP packet (12) from a second table of policy rules (36); and applying said policy rule (26) to said IP packet (12).
 26. A method as recited in claim 22, in which said step of receiving of said IP packet (12) by said network endpoint device (10) further includes the steps of: selecting a policy rule (26) that matches said network interface (49) information from a second table of policy rules (36); and applying said policy rule (26) to said IP packet (12).
 27. A method comprising the steps of: providing a peer authentication driver (46), a TCP/IP protocol stack (32), a network device driver (48), a network interface (49) and an authenticated session table (30) at a network endpoint device (10); said peer authentication driver (46) receiving an IP packet (12) from a TCP/IP protocol stack (32); locating a session descriptor (28) corresponding to said IP packet (12) in said authenticated session table (30); processing said IP packet (12) in accordance with said session descriptor (28); sending said IP packet (12) to said network device driver (48); and sending said IP packet (12) to said network interface (49).
 28. A method as recited in claim 27, in which said session descriptor (28) in said authenticated session table (30) was created by an authentication device (18); and said authentication device (18) using transport access control to perform authentication.
 29. A method as recited in claim 27, in which said session descriptor (28) in said authenticated session table (30) was created by an authentication device (18); and said authentication device (18) using statistical object identification to perform authentication. 